CVE-2021-21224
Published 2021-04-26
CVE-2021-21224: Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Priority: P1 · 85 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 57.74% (99.0th percentile)
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| debian | chromium | < chromium 90.0.4430.85-1 (bookworm) | chromium 90.0.4430.85-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| — | chrome | < 90.0.4430.85 | 90.0.4430.85 |
| — | chrome | >= unspecified < 90.0.4430.85 | 90.0.4430.85 |
| — | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- Hunt for outbound HTTPS connections to media-seoengine[.]com as a C2 indicator for the PuzzleMaker remote shell payload.
- The CVE-2021-21224 exploit was publicly demonstrated on GitHub on April 14, 2021, targeting Chrome 90.0.4430.72 via a V8 Typer Mismatch (issue 1195777); monitor for in-the-wild use against unpatched Chrome versions prior to 90.0.4430.85.
- The full RCE JavaScript exploit for CVE-2021-21224 was never recovered by Kaspersky researchers; attribution to this CVE in the PuzzleMaker attack chain is based on circumstantial timing evidence, not confirmed exploit retrieval.
- The exploit was chained with EoP vulnerabilities CVE-2021-31955 and CVE-2021-31956 (patched June 8, 2021); detection of CVE-2021-21224 exploitation alone may not indicate full compromise without also checking for the kernel-level EoP stage.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
GHSA
GHSA-g2xr-gx3h-vpc9: Type confusion in V8 in Google Chrome prior to 90
ghsa_unreviewed · 2022-05-24 · CVE-2021-21224 · HIGH · CWE-843
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
OSV
CVE-2021-21224: Type confusion in V8 in Google Chrome prior to 90
osv · 2021-04-26 · CVSS 8.8 · HIGH
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck · 2021 · CVSS 8.8 · HIGH · CWE-843
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/7eba2235c681
Remediation Due: 2021-11-17
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa · 2021-11-03 · CVSS 8.8 · HIGH · CWE-843
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-21224
Remediation Due Date: 2021-11-17
Chrome
Stable Channel Update for Desktop: CVE-2021-21222
vendor_chrome · 2021-04-20 · CVSS 6.5 · HIGH
Stable Channel Update for Desktop
- High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30
- [$TBD][1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
- [$TBD][1195777] High CVE-2021-21224: Type Confusion in V8
Severity: high
Microsoft
Chromium: CVE-2021-21224 Type Confusion in V8
vendor_msrc · 2021-04-13 · CVSS 8.8 · HIGH
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
This vulnerability was addressed in Microsoft Edge (Chromium-based) in build 90.0.818.41 which was released April 16, 2021.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 90.0.818.46 | 4/15/2021 | 90.0.4430.85 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest
Debian
CVE-2021-21224: chromium - Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote att...
vendor_debian · 2021 · CVSS 8.8 · HIGH
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 90.0.4430.85-1)
bullseye: resolved (fixed in 90.0.4430.85-1)
forky: resolved (fixed in 90.0.4430.85-1)
sid: resolved (fixed in 90.0.4430.85-1)
trixie: resolved (fixed in 90.0.4430.85-1)
No detection rules found.
No public exploits indexed.
Securelist
Ten most mysterious APT campaigns that remain unattributed
blogs_securelist · 2022-10-07
Table of Contents
- 1. Project TajMahal
- 2. DarkUniverse
- 3. PuzzleMaker
- 4. ProjectSauron (aka Strider)
- 5. USB Thief
- 6. TENSHO (aka White Tur)
- 7. PlexingEagle
- 8. SinSono
- 9. MagicScroll (aka AcidBox)
- 10. Metador
- Conclusion
Authors
- Costin Raiu
Targeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies. The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim’s infrastructure and to leave as few traces as they can. They implement a variety of techniqu
Securelist
TOP 10 unattributed APT mysteries
blogs_securelist · 2022-10-07
Table of Contents
- 1. Project TajMahal
- 2. DarkUniverse
- 3. PuzzleMaker
- 4. ProjectSauron (aka Strider)
- 5. USB Thief
- 6. TENSHO (aka White Tur)
- 7. PlexingEagle
- 8. SinSono
- 9. MagicScroll (aka AcidBox)
- 10. Metador
- Conclusion
Authors
- Costin Raiu
Targeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies. The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim’s infrastructure and to leave as few traces as they can. They implement a variety of techniques to make inve
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Fortinet
The Definition and Examples of Exploit Kits | Fortinet Blog
blogs_fortinet · 2022-01-27
INDUSTRY TRENDS & INSIGHTS
The Definition and Examples of Exploit Kits
By Aamir Lakhani | January 27, 2022
In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks for example.
The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities. Of course, cybercriminals love having more systems to attack with exploit kits.
What Is An Exploit Kit?
Exploit kits (EKs) are automated programs used by cybercriminals to ex
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys · 2021-11-09
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
- Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
blogs_qualys · 2021-11-09
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to
Securelist
PuzzleMaker attacks with Chrome zero-day exploit chain
blogs_securelist · 2021-06-08 · CVSS 5.5 · MEDIUM
Table of Contents
- Remote code execution exploit
- Elevation of privilege exploit
- Malware modules
- IoCs
Authors
- Costin Raiu
- Boris Larin
- Alexey Kulaev
On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.
The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1,
References
- https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html
- https://crbug.com/1195777
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A/
- https://security.gentoo.org/glsa/202104-08
- https://www.debian.org/security/2021/dsa-4906
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21224
Published: 2021-04-26
Added to CISA KEV: 2021-11-03
Exploited in the wild